Solved

Anonymous Access - Is it safe?

Posted on 2014-02-05
7
364 Views
Last Modified: 2014-02-11
I'm involved in a debate over the safety of allowing internal anonymous (read only) access to a SharePoint 2010 (Enterprise) WCM site.

They have 2 main SharePoint areas, one WCM and the other Collaboration. SharePoint is only accessible within the company network. Authentication is NTLM against 3 trusted domains. Due to corporate aquisitions there are a few hundred employees currently on non-trusted domains.

It's been proposed that we enable anonymous access on the WCM site so all employees can see company announcements. However there's a big push-back against this for 'security reasons'. Nothing specific, just a feeling that opening access somehow opens the collaboration site and other data to attack.

(I will also mention, Federated Services has been considered as an alternative access method for our extra users, but the hardware and configuration requirements are very tight for our timescales.)

Considering that access is only possible from within the company network, there is intrusion detection software configured on all requests to SharePoint, access is read only etc, am I missing something? Should anonymous access to non-sensitive data (admittedly in the same farm as sensitive data) be of major concern to anyone?
0
Comment
Question by:Jamie McAllister MVP
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 18

Expert Comment

by:Walter Curtis
ID: 39836756
Anonymous access is very useful in the situation your describe. The biggest danger is human error. If for example some creates a site collection that inherits the anonymous access and it is not explicit disabled, then data could be exposed. Consider creating an additional web application where anonymous access is enable and have all other data in a web app that has anonymous disabled and you lower the risk of an error. I have done that on several occasions and it has worked well.

Hope that helps
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39838192
I would suggest to configure access for Authenticated users instead of Anonymous. if not, there are certain groups like domain users which you can use where all the users from domain are member of that group, you can configure access for this group in each domain as a work around.
0
 
LVL 32

Author Comment

by:Jamie McAllister MVP
ID: 39838404
Can anyone tell me an absolute show-stopper for Anonymous access within our network?

Or alternatively an absolute assurance that Anonymous is fine in the scenario I described?

At the moment I need to feed into the decision for a go/no go on anonymous access.
0
Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39838410
It is fine but your security team may not approve or might be an issue in audits.
0
 
LVL 32

Author Comment

by:Jamie McAllister MVP
ID: 39838531
What specific grounds might they not approve on if it is safe?
0
 
LVL 32

Accepted Solution

by:
Jamie McAllister MVP earned 0 total points
ID: 39838748
Spencer Harbar was kind enough to provide some input to this debate on a private forum. I can't cross post the text in full but a summary of the advice is this;

Such content should always be authenticated. Factors such as the content being on the Internal Network, or having IDS in place do not influence the risk management. Having ACL in place would significantly reduce the risk of outages from malicious intent.

Suggested approach is creating accounts for all users, opening up the WCM site to All Authenticated Users if necessary, but always having ACL in place.

Thanks for your input on the question.
0
 
LVL 32

Author Closing Comment

by:Jamie McAllister MVP
ID: 39849632
Spencer Harbar advised against Anonymous Access.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question